Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Using single column Holiday table how do I determine whether today is a holiday?

pm771
Communicator
‎09-08-2020 07:29 PM

I have a lookup CSV table that lists dates of holidays in a single column.

HolidayTable.csv:

HDate
1/1/2020
...................

 

I tried to use the following:

 

 

 

search ...
| eval currentdate=strftime(now(),"%-m/%-d/%Y") 
| lookup HolidayTable.csv HDate as currentdate OUTPUT HDate as Holiday
| eval Holiday=if(isnull(Holiday), "N", "Y")

 

 

 

My expectation was that when the current date matches a row in the table I will get the date  string and otherwise - null.

It does not seem to work this way.

What am I missing here?

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

pm771
Communicator
‎09-24-2020 07:08 PM

[Following up with my own solution]

I ended up with creating a dummy 2nd column.

HDateOff
1/1/2020Y
...................Y

 

And with a slight change (used new column as returned value) my code started working:

 

 

 

search ...
| eval currentdate=strftime(now(),"%-m/%-d/%Y") 
| lookup HolidayTable.csv HDate as currentdate OUTPUT Off as Holiday
| eval Holiday=if(isnull(Holiday), "N", "Y")

 

 

 

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

pm771
Communicator
‎09-24-2020 07:08 PM

[Following up with my own solution]

I ended up with creating a dummy 2nd column.

HDateOff
1/1/2020Y
...................Y

 

And with a slight change (used new column as returned value) my code started working:

 

 

 

search ...
| eval currentdate=strftime(now(),"%-m/%-d/%Y") 
| lookup HolidayTable.csv HDate as currentdate OUTPUT Off as Holiday
| eval Holiday=if(isnull(Holiday), "N", "Y")

 

 

 

 

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎09-08-2020 08:24 PM

Your currentdate date format is wrong based on your example of 01/01/2020 in the CSV. Your format is

%-m/%-d

but it should be %m/%s, so it has leading zeros

 

0 Karma
Reply
Solved! Jump to solution

pm771
Communicator
‎09-09-2020 06:17 AM

It was a typo in my question. Month and day in my table are without leading zeroes.

Since the table is going to be maintained via Excel, I had to use the default date format.

I will update the question.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...